We Can’t Stop Using Terrible Passwords

Even though we all know better

Key Takeaways

  • The most commonly used passwords take only seconds to guess.
  • Biometrics won’t replace passwords.
  • Your dog won’t be offended if you stop using its name as your password.

Of the 200 most common passwords, the most secure would take a maximum of three hours to crack. One of those is "myspace1," and it only gets worse from there. 

NordVPN, creator of the NordPass password manager app, has published its annual list of the 200 most common passwords, which could also have been named "200 worst passwords" without anybody arguing. People continue to treat their passwords as an inconvenience (which they are) or as a way to remember their partner's name, their sports team, their pet, or their favorite pop group ("onedirection" made a comeback into the top 200 this year). But why do we create such bad passwords, even though we know they should be better?

"Unfortunately, passwords keep getting weaker, and people still don't maintain proper password hygiene," Jonas Karklys, CEO of NordPass, told Lifewire via email. "It's important to understand that passwords are the gateway to our digital lives, and with us spending more and more time online, it's becoming enormously important to take better care of our cybersecurity."

Bad Passwords

A bad password is one that is easy to guess. One mistake many people make is not knowing how hacking works. They may think they'll never be targeted, because what does a hoodie-wearing, clicky-keyboard-tapping hacker in a darkened room want with them? But password cracking is largely automated. A computer network sits there running through a list of harvested email addresses, combining them with oft-used passwords, to try to brute-force its way into common online services.

It might make you feel good when you type your cute doggie's name into the password field, but if the pup in question is named "Princess," then it'll take one second to guess. "Michael" will take eight seconds; "jessica" only needs seven. Just FYI.


The other common password "mistakes" could also be described as laziness. For example, "qwerty" and "asdf" are perennial entries on the list, but the worst must be "123456." It was the number one password in 2020, with 103,170,552 users (of the four terabytes of data examined by NordPass and independent security researchers).

123456. Why would anyone choose this? It's possible the user doesn't care. If you're forced to create a login for something you're only going to use once, then what does it matter? Perhaps you're downloading a free song or similar, and the artist asks you to log in to their store to buy it for $0.00. In that case, many people might just make up an email address, then tap a few keys to create the password.
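
A service can refuse these passwords at signup, before any automated guesser gets to try them. The sketch below is an added example, not code from the article or from NordPass: the list holds only the passwords named in this article as a constructed sample, and the function names and the 8-character minimum are assumptions.

```python
import string

# Constructed sample: only the passwords named in this article, not the full list.
COMMON = {"123456", "qwerty", "asdf", "myspace1", "onedirection",
          "princess", "michael", "jessica"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumed policy value, not taken from the article


def is_keyboard_run(password, min_run=4):
    """True if the whole password is a run along one keyboard row, either direction."""
    p = password.lower()
    if len(p) < min_run:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def strip_suffix(password):
    """Lowercase and drop trailing digits/punctuation: 'Princess2021!' -> 'princess'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def reject_reason(password):
    """Return why a new password is refused, or None if it passes these checks."""
    if password.lower() in COMMON:
        return "common password"
    if is_keyboard_run(password):
        return "keyboard or digit run"
    if strip_suffix(password) in COMMON:
        return "common password with a suffix"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ("123456", "Michael", "Princess2021!", "zxcvbn",
                      "sewerage ASSASSIN grandson i9GHAVnk6zv"):
        print(repr(candidate), "->", reject_reason(candidate) or "accepted")
```

Passing this filter only means the password is not one of the obvious first guesses; it is not a measure of strength.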

How Can We Improve?

The number one way to create better passwords is to use a password manager app. Several third-party options exist, like 1Password and NordPass, but increasingly, password managers are built into your computer or phone. Apple devices use the iCloud Keychain, which not only auto-fills passwords but can create new, hard-to-guess passcodes with a single tap whenever you sign up for a new service.

And with the latest updates to 1Password and iOS 15, these password apps also create single-use, disposable email addresses for each new signup, making it even harder to guess your login details. They can also handle all those one-time-passcodes that add another layer of security.

The beauty of these systems is that they will never choose your dog's name, or any dogs' names, ever. Unless you named your dog "sewerage ASSASSIN grandson i9GHAVnk6zv," or something similar. You just remember a single, excellent, non-dog-related passcode, and use that to unlock your password manager, which takes care of the rest.

What About Fingerprints?

Other great recent additions are fingerprint and face-readers in our devices. Biometrics are bad ways to authenticate yourself publicly (if your fingerprint is stolen from a database, you cannot change it) but are great for personal use, from unlocking your phone to logging into mobile apps. 

This avoids having to type that long, single password over and over, but it has its downsides. If the cops stop you, they can't compel you to give up a passcode, but they may be able to legally force you to offer up your finger or face—or not.

"While passcodes are considered as a testimonial, biometrics exist objectively and are comparable to giving a DNA or blood sample. So, if the police have a warrant, they can use a person's biological data to unlock their phone," NordPass's Patricija Cerniauskaite told Lifewire via email.

As we have seen already, humans are terrible at this kind of thing, so why not delegate it to a machine?
